turbot/net_insights

Control: SSL/TLS servers should use strong key exchange mechanism (e.g., ECDHE)

Description

It is recommended to use a strong key exchange mechanism to keep data transferred across the network secure. Both parties agree on a single cipher suite and generate the session keys (symmetric keys) used to encrypt and decrypt the information during an SSL session.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_use_strong_key_exchange

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_use_strong_key_exchange --share

Steampipe Tables

net_tls_connection

Params

Args  Name          Default                          Description        Variable
$1    domain_names  ["github.com","microsoft.com"]   DNS domain names.

SQL

with domain_list as (
  -- expand the domain_names parameter into one row per domain, probing port 443
  select
    domain,
    concat(domain, ':443') as address
  from
    jsonb_array_elements_text(to_jsonb($1 :: text [ ])) as domain
),
all_ecdhe_ciphers as (
  -- completed handshakes on TLS 1.2/1.3 with an accepted suite: every TLS 1.2 name listed
  -- uses ECDHE, and TLS 1.3 suites (no key-exchange token in the name) always use (EC)DHE
  select
    address,
    version,
    cipher_suite_name
  from
    net_tls_connection
  where
    address in (
      select
        address
      from
        domain_list
    )
    and version in ('TLS v1.3', 'TLS v1.2')
    and cipher_suite_name in (
      'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
      'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
      'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
      'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
      'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
      'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
      'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
      'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
      'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
      'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256',
      'TLS_AES_128_GCM_SHA256',
      'TLS_AES_256_GCM_SHA384',
      'TLS_CHACHA20_POLY1305_SHA256'
    )
    and handshake_completed
)
select
  d.domain as resource,
  -- ok when at least one accepted TLS 1.3 or TLS 1.2 handshake completed for the address
  case
    when (
      select
        count(*)
      from
        all_ecdhe_ciphers
      where
        address = d.address
        and version = 'TLS v1.3'
    ) > 0 then 'ok'
    when (
      select
        count(*)
      from
        all_ecdhe_ciphers
      where
        address = d.address
        and version = 'TLS v1.2'
    ) > 0 then 'ok'
    else 'alarm'
  end as status,
  -- the TLS 1.2 branch re-checks the key-exchange token, which the CTE already restricts to ECDHE
  case
    when (
      select
        count(*)
      from
        all_ecdhe_ciphers
      where
        address = d.address
        and version = 'TLS v1.3'
    ) > 0
    or (
      select
        count(*)
      from
        all_ecdhe_ciphers
      where
        address = d.address
        and version = 'TLS v1.2'
        and split_part(cipher_suite_name, '_', 2) = 'ECDHE'
    ) > 0 then d.domain || ' uses strong key exchange mechanism.'
    else d.domain || ' does not use strong key exchange mechanism.'
  end as reason
from
  domain_list as d;
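To make the control's decision logic concrete without a live Steampipe connection, the following added example (not part of the net_insights mod) reproduces the query's status and reason evaluation in Python over constructed net_tls_connection rows. The domain names, the suite names outside the control's list, and the row shape are assumptions for illustration; it also shows why the query accepts TLS 1.3 suites whose names carry no ECDHE token.

```python
"""Decision logic of the control, reproduced over constructed net_tls_connection rows."""
from collections import defaultdict

# TLS 1.2 suites the control accepts: every one uses ECDHE (the token after "TLS_").
ECDHE_TLS12 = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}
# TLS 1.3 suite names carry no key-exchange token: the protocol uses an ephemeral
# (EC)DHE key share in every full handshake, so any completed 1.3 handshake passes.
TLS13 = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}

def key_exchange(cipher_suite_name, version):
    """Mechanism a suite implies; mirrors split_part(cipher_suite_name, '_', 2) for 1.2."""
    return "ECDHE" if version == "TLS v1.3" else cipher_suite_name.split("_")[1]

def is_strong(row):
    """One net_tls_connection row passes only if the handshake completed with an accepted suite."""
    if not row["handshake_completed"] or row["version"] not in ("TLS v1.3", "TLS v1.2"):
        return False
    accepted = TLS13 if row["version"] == "TLS v1.3" else ECDHE_TLS12
    return row["cipher_suite_name"] in accepted

def evaluate(domains, rows):
    """Return {domain: (status, reason)} as the control's final SELECT would."""
    strong = defaultdict(bool)
    for row in rows:
        strong[row["address"]] |= is_strong(row)
    out = {}
    for d in domains:
        if strong[f"{d}:443"]:
            out[d] = ("ok", f"{d} uses strong key exchange mechanism.")
        else:
            out[d] = ("alarm", f"{d} does not use strong key exchange mechanism.")
    return out

# Constructed sample rows, not real probe output: one address per outcome.
SAMPLE_ROWS = [
    {"address": "modern.example:443", "version": "TLS v1.3",
     "cipher_suite_name": "TLS_AES_256_GCM_SHA384", "handshake_completed": True},
    {"address": "legacy.example:443", "version": "TLS v1.2",
     "cipher_suite_name": "TLS_RSA_WITH_AES_128_CBC_SHA", "handshake_completed": True},
    {"address": "legacy.example:443", "version": "TLS v1.2",
     "cipher_suite_name": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "handshake_completed": True},
    {"address": "refused.example:443", "version": "TLS v1.2",
     "cipher_suite_name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "handshake_completed": False},
]
```

A domain with no row at all (the table returned nothing for it) lands in alarm, the same outcome the query's count(*) subselects produce for an unreachable host.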